[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()

Stephan Mühlstrasser stm at pdflib.com
Tue Feb 24 08:35:37 UTC 2015

Am 18.02.15 um 13:19 schrieb Stephan Mühlstrasser:
> Unfortunately the "-no_explicit" command line option is not documented:
> https://www.openssl.org/docs/apps/ocsp.html
> What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the
> "-no_explicit" command line option. What exactly is checked by the
> X509_check_trust() call above with respect to the relevant RFCs?

As there is no documentation and as noone seems to know the meaning of 
the -no_explicit for "openssl ocsp", should I file a documentation 
defect in RT for that?

If I understand the code in OCSP_basic_verify() that is depending on the 
OCSP_NOEXPLICIT flag correctly, it checks the root CA for the presence 
of the OCSPSigning flag in the extended key usage field. I could not 
find anything in RFC 6960 and RFC 2560 that would mandate such a check 
for the root CA certificate. Only the OCSP signing certificate must have 
OCSPSigning in the extended key usage field.

So maybe it is even a bug in the code itself?


More information about the openssl-users mailing list